Troubleshooting Active Directory Replication Issues

How to Check Domain Controller Synchronization

Check replication summary

[TEST-DC02]: PS C:\Users\testadmin\Documents> Repadmin /replsummary
Replication Summary Start Time: 1998-02-30 14:00:48
Beginning data collection for replication summary, this may take awhile:
  ........................
Source DSA          largest delta    fails/total %%   error
 LAX-CORPDC03              08m:36s    0 /  10    0
 LAX-CORPDC04              11m:36s    0 /   5    0
 CA-CORPDC01               13m:32s    0 /  60    0
 CA-CORPDC02               13m:32s    0 /  65    0
 CA-CORPDC03               13m:32s    0 /  50    0
 IRV-CORPDC04              08m:36s    0 /   5    0
 AZ-CORPDC01               06m:27s    0 /  10    0
 AZ-CORPDC02               09m:32s    0 /  15    0
 FLA-CORPDC04          01h:53m:35s    5 /   5  100  (1727) The remote procedure call failed and did not execute.
 TEST-DC01                   13m:26s    0 /  15    0
 bbc-CORPDC01              07m:47s    0 /   5    0
 CONG-BRK-DC01             08m:34s    0 /   5    0
 CONG-PLS-DC01             13m:29s    0 /  10    0
 MON-CORPDC01              08m:35s    0 /   5    0
 MO-CORPDC01               15m:04s    0 /  20    0
 MO-CORPDC02               13m:28s    0 /  15    0

Destination DSA     largest delta    fails/total %%   error
 LAX-CORPDC03              13m:13s    0 /  15    0
 LAX-CORPDC04              09m:48s    0 /  15    0
 CA-CORPDC01               13m:29s    0 /  40    0
 CA-CORPDC02               01m:57s    0 /  40    0
 CA-CORPDC03           01h:53m:41s    5 /  45   11  (1727) The remote procedure call failed and did not execute.
 IRV-CORPDC04              10m:12s    0 /  10    0
 AZ-CORPDC01               10m:44s    0 /  25    0
 AZ-CORPDC02               07m:40s    0 /  25    0
 TEST-DC02                   10m:26s    0 /  20    0
 MON-CORPDC01              12m:39s    0 /  15    0
 MO-CORPDC01               14m:03s    0 /  20    0
 MO-CORPDC02               15m:09s    0 /  20    0
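In the summary above, FLA-CORPDC04 has failed all five of its attempts with error 1727 and the same error shows up on the destination side for CA-CORPDC03; everything else is healthy. As an added example (not part of the original post), the following PowerShell parses the text output of Repadmin /replsummary into objects and returns only the rows with failures, so the same check can run from a scheduled task and raise an alert. The embedded sample output is constructed from a few of the rows shown above, and the function names are my own.

```powershell
# Added example, not from the original post: parse "repadmin /replsummary"
# text output and return the DSA rows that report failures or an error code.
# The sample below is constructed from a few of the rows shown above.
$sampleReplSummary = @'
Replication Summary Start Time: 1998-02-30 14:00:48
Beginning data collection for replication summary, this may take awhile:
  ........................
Source DSA          largest delta    fails/total %%   error
 LAX-CORPDC03              08m:36s    0 /  10    0
 FLA-CORPDC04          01h:53m:35s    5 /   5  100  (1727) The remote procedure call failed and did not execute.

Destination DSA     largest delta    fails/total %%   error
 CA-CORPDC02               01m:57s    0 /  40    0
 CA-CORPDC03           01h:53m:41s    5 /  45   11  (1727) The remote procedure call failed and did not execute.
'@

function ConvertFrom-ReplSummary {
    # Turns the replsummary text into one object per DSA row, tagged with
    # whether the row came from the Source or the Destination table.
    param([Parameter(Mandatory)][string[]]$Lines)
    $role = $null
    $row = '^\s*(?<dsa>\S+)\s+(?<delta>[\dhms:]+)\s+(?<fails>\d+)\s*/\s*(?<total>\d+)\s+(?<pct>\d+)\s*(?:\((?<code>\d+)\)\s*(?<msg>.*))?$'
    foreach ($line in $Lines) {
        if ($line -match '^(Source|Destination) DSA') { $role = $Matches[1]; continue }
        if ($role -and $line -match $row) {
            $code = 0
            if ($Matches['code']) { $code = [int]$Matches['code'] }
            [pscustomobject]@{
                Role         = $role
                DSA          = $Matches['dsa']
                LargestDelta = $Matches['delta']
                Fails        = [int]$Matches['fails']
                Total        = [int]$Matches['total']
                FailPercent  = [int]$Matches['pct']
                ErrorCode    = $code
                ErrorText    = $Matches['msg']
            }
        }
    }
}

function Get-ReplSummaryFailures {
    # Runs repadmin on this DC unless -Lines is supplied (for offline testing).
    param([string[]]$Lines)
    if (-not $Lines) { $Lines = repadmin /replsummary }
    ConvertFrom-ReplSummary -Lines $Lines |
        Where-Object { $_.Fails -gt 0 -or $_.ErrorCode -ne 0 }
}

# Against the constructed sample this returns the FLA-CORPDC04 and CA-CORPDC03 rows.
Get-ReplSummaryFailures -Lines ($sampleReplSummary -split "`r?`n") | Format-Table -AutoSize
```

Run Get-ReplSummaryFailures with no argument on a domain controller to parse live output; a row with a non-zero ErrorCode (1722 or 1727 here means the RPC call to the partner did not get through) is the one worth paging on, while a non-zero Fails count with a small LargestDelta is usually transient.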

Check replication health

[TEST-DC02]: PS C:\Users\testadmin\Documents> Repadmin /Showrepl
Repadmin: running command /Showrepl against full DC localhost
Phoenix\TEST-DC02
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 
DSA invocationID: 

==== INBOUND NEIGHBORS ======================================
DC=hooli,DC=net
    Phoenix\TEST-DC01 via RPC
        DSA object GUID: 
        Last attempt @ 1998-02-30 13:51:36 was successful.
    Brazil\CA-CORPDC02 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:39 was successful.
    Brazil\CA-CORPDC01 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:39 was successful.
    Brazil\CA-CORPDC03 via RPC
        DSA object GUID: 
        Last attempt @ 1998-02-30 13:51:39 was successful.

CN=Configuration,DC=hooli,DC=net
    Phoenix\TEST-DC01 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:36 was successful.
    Brazil\CA-CORPDC02 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:37 was successful.
    Brazil\CA-CORPDC01 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:38 was successful.
    Brazil\CA-CORPDC03 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:39 was successful.
CN=Schema,CN=Configuration,DC=hooli,DC=net
    Phoenix\TEST-DC01 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:36 was successful.
    Brazil\CA-CORPDC02 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:39 was successful.
    Brazil\CA-CORPDC01 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:39 was successful.
    Brazil\CA-CORPDC03 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:39 was successful.

DC=DomainDnsZones,DC=hooli,DC=net
    Phoenix\TEST-DC01 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:36 was successful.
    Brazil\CA-CORPDC02 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:39 was successful.
    Brazil\CA-CORPDC01 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:39 was successful.
    Brazil\CA-CORPDC03 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:39 was successful.
DC=ForestDnsZones,DC=hooli,DC=net
    Phoenix\TEST-DC01 via RPC
        DSA object GUID: 
        Last attempt @ 1998-02-30 13:51:36 was successful.
    Brazil\CA-CORPDC02 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:39 was successful.
    Brazil\CA-CORPDC01 via RPC
        DSA object GUID: 
        Last attempt @ 1998-02-30 13:51:40 was successful.
    Brazil\CA-CORPDC03 via RPC
        DSA object GUID:
        Last attempt @ 1998-02-30 13:51:40 was successful.

Attempt to Trigger a Replication

[TEST-DC02]: PS C:\Users\testadmin\Documents> Repadmin /syncall
CALLBACK MESSAGE: Error contacting server ._msdcs.hooli.net (network error): 1722 (0x6ba):
    The RPC server is unavailable.
CALLBACK MESSAGE: SyncAll Finished.
SyncAll reported the following errors:
Error contacting server ._msdcs.hooli.net (network error): 1722 (0x6ba):
    The RPC server is unavailable.

Perform Diagnostics

[TEST-DC02]: PS C:\Users\testadmin\Documents> DCDIAG /TEST:DNS
Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = TEST-DC02
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Phoenix\TEST-DC02
      Starting test: Connectivity
         ......................... TEST-DC02 passed test Connectivity
Doing primary tests
   Testing server: Phoenix\TEST-DC02
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... TEST-DC02 passed test DNS
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : hooli
   Running enterprise tests on : hooli.net
      Starting test: DNS
         Test results for domain controllers:
            DC: TEST-DC02.hooli.net
            Domain: hooli.net
               TEST: Basic (Basc)
                  Warning: Adapter has dynamic IP address
                  (can be a misconfiguration)
                  Warning: adapter [00000012] Microsoft Hyper-V Network Adapter
                  has invalid DNS server: 10.100.500.200 (TEST-DC02)
               TEST: Delegations (Del)
                  Error: DNS server: corpdc02.hooli.net. IP:<Unavailable>
                  [Missing glue A record]
                  Error: DNS server: corpdc03.hooli.net. IP:<Unavailable>
                  [Missing glue A record]
               TEST: Dynamic update (Dyn)
                  Warning: Failed to add the test record dcdiag-test-record in zone hooli.net
               TEST: Records registration (RReg)
                  Network Adapter [00000012] Microsoft Hyper-V Network Adapter:
                     Warning:
                     Missing SRV record at DNS server 10.100.500.007:
                     _ldap._tcp.hooli.net
                     Warning:
                     Missing SRV record at DNS server 10.100.500.007:
                     _ldap._tcp.domains._msdcs.hooli.net
                     Warning:
                     Missing SRV record at DNS server 10.100.500.007:
                     _kerberos._tcp.dc._msdcs.hooli.net
                     Warning:
                     Missing SRV record at DNS server 10.100.500.007:
                     _ldap._tcp.dc._msdcs.hooli.net
                     Warning:
                     Missing SRV record at DNS server 10.100.500.007:
                     _kpasswd._tcp.hooli.net
                     Warning:
                     Missing A record at DNS server 10.100.500.007:
                     gc._msdcs.hooli.net
               Error: Record registrations cannot be found for all the network adapters
         Summary of test results for DNS servers used by the above domain
         controllers:
            DNS server: 10.100.500.200 (TEST-DC02)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.100.500.200 Name resolution is not functional. _ldap._tcp.hooli.net. failed on the DNS server 10.100.500.200
         Summary of DNS test results:
                                            Auth Basc Forw Del  Dyn  RReg Ext
         _________________________________________________________________
            Domain: hooli.net
               TEST-DC02                      PASS WARN PASS FAIL WARN FAIL n/a
         ......................... hooli.net failed test DNS
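The DNS test above reports the DC's own SRV records (_ldap._tcp, _kerberos._tcp, _kpasswd._tcp, and the _msdcs variants) and the gc._msdcs A record missing from the DNS server it points at. As an added example (not part of the original post), the function below queries the same set of records against a named DNS server with Resolve-DnsName and reports which are missing, so the check can be repeated after a fix without running the full dcdiag. The domain name and DNS server address are assumed values to replace; the optional -Site switch adds the site-specific _sites records, which the post does not show but which a DC registers as well.

```powershell
# Added example, not from the original post: confirm that the records a DC
# must register (the ones dcdiag flagged above) resolve at a given DNS server.
# $Domain, $DnsServer and $Site are assumed inputs; replace with your own.
function Test-DcDnsRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,      # e.g. 'hooli.net'
        [Parameter(Mandatory)][string]$DnsServer,   # DNS server IP to query
        [string]$Site                               # optional AD site name
    )
    $checks = @(
        @{ Name = "_ldap._tcp.$Domain";               Type = 'SRV' }
        @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV' }
        @{ Name = "_ldap._tcp.pdc._msdcs.$Domain";    Type = 'SRV' }
        @{ Name = "_kerberos._tcp.$Domain";           Type = 'SRV' }
        @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV' }
        @{ Name = "_kpasswd._tcp.$Domain";            Type = 'SRV' }
        @{ Name = "gc._msdcs.$Domain";                Type = 'A'   }
    )
    if ($Site) {
        $checks += @{ Name = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain";     Type = 'SRV' }
        $checks += @{ Name = "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain"; Type = 'SRV' }
    }
    foreach ($c in $checks) {
        try {
            # -DnsOnly bypasses the local cache and hosts file so the answer
            # reflects what the server actually holds right now.
            $answers = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $DnsServer -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq $c.Type }
            $targets = if ($c.Type -eq 'SRV') { $answers.NameTarget } else { $answers.IPAddress }
            [pscustomobject]@{
                Record  = $c.Name
                Type    = $c.Type
                Found   = [bool]$answers
                Targets = ($targets -join ', ')
                Error   = $null
            }
        } catch {
            # NXDOMAIN, timeout or an unreachable server all land here.
            [pscustomobject]@{
                Record  = $c.Name
                Type    = $c.Type
                Found   = $false
                Targets = $null
                Error   = $_.Exception.Message
            }
        }
    }
}

# Example call (assumed values): list only the records that are missing.
Test-DcDnsRecords -Domain 'hooli.net' -DnsServer '10.100.500.007' -Site 'Phoenix' |
    Where-Object { -not $_.Found } | Format-Table -AutoSize
```

If every record is missing at the server the DC's adapter points to, as in the dcdiag output, the problem is usually on the client side of the DC (wrong or unreachable DNS server address, or a netlogon registration that never reached it) rather than a broken zone; after correcting the address, `Register-DnsClient` and `nltest /dsregdns` re-create the records and this function confirms they arrived.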

Correct the IP Address of Domain Controller

# Query for network cards
[TEST-DC02]: PS C:\Users\testadmin\Documents> Get-NetAdapter
Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
Ethernet 2                Microsoft Hyper-V Network Adapter #2         15 Up                                    10 Gbps
# Set a static IP while logged in at the console session, not over RDP
# (changing the address drops the current network session)
$ipParams = @{
    InterfaceIndex = 15
    IPAddress = '10.100.500.200'
    PrefixLength = 22          # must match the subnet defined for this site in AD
    DefaultGateway = '10.100.500.1'
    AddressFamily = 'IPv4'
}
New-NetIPAddress @ipParams
Set-NetIPInterface -InterfaceAlias 'Ethernet 2' -Dhcp Disabled
$dnsParams = @{
    InterfaceIndex = 15        # same adapter as above (ifIndex 15)
    ServerAddresses = ("8.8.8.8","8.8.4.4")   # note: public resolvers cannot answer _msdcs queries; a DC's own resolver normally points at itself or another DC
}
Set-DnsClientServerAddress @dnsParams
Clear-DnsClientCache
Register-DnsClient # Re-register this host's DNS records with the DNS server

Reconnect to Domain Controller from a Client PC to Validate Successful Configuration

# Clear cache and reconnect
ipconfig /flushdns
enter-pssession TEST-DC02

# Retrigger replication
[TEST-DC02]: PS C:\Users\testadmin\Documents> Repadmin /syncall
CALLBACK MESSAGE: The following replication is in progress:
    From: ._msdcs.hooli.net
    To  : ._msdcs.hooli.net
CALLBACK MESSAGE: The following replication completed successfully:
    From: ._msdcs.hooli.net
    To  : ._msdcs.hooli.net
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Fix Issue with Active Directory Users and Computers Management Console

# Error message when running ADUC from a member server
---------------------------
Active Directory Domain Services
---------------------------
Naming information cannot be located because: 
The system cannot contact a domain controller to service the authentication request. Please try again later.
Contact your system administrator to verify that your domain is properly configured and is currently online.
---------------------------
OK   
---------------------------
# Test connectivity to the DC on the LDAP port (389)
PS C:\Windows\system32> test-netconnection 10.100.500.007 -port 389 -informationlevel quiet
False

# Query for domain controllers from the member server to confirm the problem
PS C:\Windows\system32> netdom query fsmo
The RPC server is unavailable.
The command failed to complete successfully.

# Disable TCP/IP filtering - not the solution
# $securityFilterHive='REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
# $securityFilterKey='EnableSecurityFilters'
# reg add $securityFilterHive /v $securityFilterKey /t REG_DWORD /d 0
# Solution:
Ensure that the domain controller's IP addresses are set up correctly. It may not be obvious, but configuring the interface with a /24 netmask where the network configuration in AD specifies a /22 will break LDAP.
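The two checks in this section, port 389 reachability from a member server and the netmask mismatch against the subnet defined in AD, are both easy to automate. As an added example (not part of the original post), the script below does both: Test-DcPorts probes the ports a domain member needs on a DC, and Test-DcSubnetPrefix compares each IPv4 address on the local DC with the subnets defined in AD Sites and Services (Get-ADReplicationSubnet, which needs the ActiveDirectory RSAT module) and flags an interface whose prefix length differs from the AD subnet that contains it, which is exactly the /24-versus-/22 mistake described above. Function names, the port list and the CIDR arithmetic helpers are my own.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module for Test-DcSubnetPrefix; Test-DcPorts works from any Windows host.

function Test-DcPorts {
    # Probe the TCP ports a domain member needs on a DC. RPC dynamic ports
    # (49152-65535) are not covered; a 1722 with all of these open points there.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int[]]$Ports = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)
    )
    foreach ($p in $Ports) {
        $open = Test-NetConnection -ComputerName $DomainController -Port $p `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ DomainController = $DomainController; Port = $p; Open = $open }
    }
}

function ConvertTo-IPv4Int {
    # Big-endian IPv4 address as an integer so a prefix mask can be applied.
    param([ipaddress]$Address)
    $b = $Address.GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-InSubnet {
    param([ipaddress]$Address, [ipaddress]$Network, [int]$Prefix)
    # Mask with the top $Prefix bits set, e.g. /22 -> 0xFFFFFC00.
    $mask = [int64](4294967295 - ([math]::Pow(2, 32 - $Prefix) - 1))
    ((ConvertTo-IPv4Int $Address) -band $mask) -eq ((ConvertTo-IPv4Int $Network) -band $mask)
}

function Test-DcSubnetPrefix {
    # For each IPv4 address on this host, find the most specific AD subnet
    # that contains it and report whether the interface prefix length agrees.
    $adSubnets = Get-ADReplicationSubnet -Filter * | ForEach-Object {
        $net, $bits = $_.Name -split '/'
        if ($net -match '^\d{1,3}(\.\d{1,3}){3}$') {   # IPv4 subnets only
            [pscustomobject]@{ Name = $_.Name; Network = [ipaddress]$net; Prefix = [int]$bits; Site = $_.Site }
        }
    }
    $addresses = Get-NetIPAddress -AddressFamily IPv4 |
                 Where-Object { $_.InterfaceAlias -notlike 'Loopback*' }
    foreach ($addr in $addresses) {
        $ip = [ipaddress]$addr.IPAddress
        $match = $adSubnets |
                 Where-Object { Test-InSubnet -Address $ip -Network $_.Network -Prefix $_.Prefix } |
                 Sort-Object Prefix -Descending | Select-Object -First 1
        [pscustomobject]@{
            Interface     = $addr.InterfaceAlias
            Address       = "$($addr.IPAddress)/$($addr.PrefixLength)"
            ADSubnet      = $match.Name
            Site          = $match.Site
            PrefixMatches = ($null -ne $match -and $match.Prefix -eq $addr.PrefixLength)
        }
    }
}

# Example calls (assumed names): run the port probe from the member server,
# the subnet comparison on the DC itself.
Test-DcPorts -DomainController 'TEST-DC02' | Format-Table -AutoSize
Test-DcSubnetPrefix | Format-Table -AutoSize
```

A row with ADSubnet empty means the DC's address is not covered by any subnet in Sites and Services (so clients cannot be steered to the right site), and PrefixMatches False with a populated ADSubnet is the netmask mismatch this post ends on: the interface and the AD subnet disagree on where the broadcast domain ends, so the DC and part of its own subnet end up routing through the gateway, or not at all, for LDAP and RPC.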
